Strong Passwords Not As Good As You Think
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.
I met Bruce Schneier in an elevator once (Score:1, Interesting)
and he autographed my copy of Applied Crypto for me, and he copied a little puzzle inside the front cover. It was a 3x3 matrix of numbers. I could never make heads nor tail of it. Has anyone else seen this and solved it? I'm at work so I do not have my copy of applied crypto with me, or I'd attempt to post the puzzle.
Defense-in-depth (Score:3, Interesting)
Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.
This may be statistically true, but isn't it missing the point of defense-in-depth? Why rely on three-strikes to catch brute force attempts, when you can also have a password that resists brute force in the first place?
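Added example, not part of the thread or of the quoted paper: a small model of the trade-off argued over above, comparing how far a 20-bit password holds up when "three strikes" lockout is enforced against the case where nothing limits the guess rate. It assumes a uniformly random password; the 30-minute auto-unlock, the one-year window and the 1e9 guesses/second offline rate are constructed values, and all function names are hypothetical.

```python
import math

MINUTES_PER_DAY = 24 * 60

def online_guess_budget(strikes, lockout_minutes, days):
    """Guesses one account absorbs in `days` under a lockout rule.
    lockout_minutes=None models a lock that only a manual reset clears."""
    if lockout_minutes is None:
        return strikes
    # One burst of `strikes` guesses at t=0, then one more per unlock.
    bursts = (days * MINUTES_PER_DAY) // lockout_minutes + 1
    return strikes * bursts

def success_probability(bits, guesses):
    """Chance that `guesses` distinct tries hit a uniformly random
    password drawn from a 2**bits keyspace (assumption: no guessable bias)."""
    return min(1.0, guesses / 2 ** bits)

def bits_for_target(guesses, target_probability):
    """Smallest whole number of bits keeping success at or below target."""
    return math.ceil(math.log2(guesses / target_probability))

def offline_seconds(bits, guesses_per_second):
    """Time to exhaust the keyspace when no lockout applies at all."""
    return 2 ** bits / guesses_per_second

def report(bits=20, strikes=3, days=365, offline_rate=1e9):
    """Rows of (policy, guess budget, success probability) plus offline time."""
    rows = []
    for label, lockout in (("manual reset", None), ("30-min auto-unlock", 30)):
        budget = online_guess_budget(strikes, lockout, days)
        rows.append((label, budget, success_probability(bits, budget)))
    return rows, offline_seconds(bits, offline_rate)

if __name__ == "__main__":
    rows, secs = report()
    for label, budget, p in rows:
        print(f"{label:20s} guesses={budget:6d}  P(success)={p:.6f}")
    print(f"no lockout, 1e9 guesses/s: keyspace exhausted in {secs:.4f} s")
    need = bits_for_target(rows[1][1], 1e-6)
    print(f"bits for P<=1e-6 with auto-unlock over a year: {need}")
```

With a manual-reset lock the attacker gets three guesses in total; with an auto-unlock the budget grows with time, and with no lockout the same 20 bits last about a millisecond, which is the layer the defense-in-depth question is asking about.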
Re:News at 11 (Score:5, Interesting)
This kind of thinking is, well, disappointing. Yes, it would be "easier" for you the user to not need such a strong password. That would be one way of looking at it. I think it would be easier, too, if I didn't need to look both ways for pedestrians while backing out of my driveway every day. What are the chances that I'm going to hit a pedestrian? Pretty small, but I need to look for them anyway.
There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools.
1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc.
2. Teach yourself an easy way to create complex passwords. Use the first letter of each word in a silly phrase like "Snoopy Prefers @nchovies 0n his 8rick Oven pizza." (SP@0h8Op) Or pick some other way of remembering these things.
3. Or, install a backup camera so you don't need to look around for those pedestrians.
Just my 2 cents.
Dict' attack is sooooo 2000 (Score:4, Interesting)
Nobody brute forces anymore. Nobody. Any sensible password challenge/response system (I doubt there is such a thing if it relies only on that, but I ramble...) will lock you out and disable the account after so many tries, and usually the amount of tries is far lower than the threshold where guessing yields a meaningful chance to succeed. If it doesn't, steer clear of such a system altogether, if it doesn't come up with one of the simplest security "features", it probably is hellish insecure altogether.
Take, just for example, various game account or freemail systems that let you retry infinitely, because their support would be flooded if they locked you out after 3 tries. Yes, you could keep guessing. And probably it is done. So a "strong" password means more security. Usually, no. Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even easier to defeat than the password guessing game.
You can, essentially, really go back to "12345" style passwords. There are way more than three possible easy to remember passwords, from birthdays to loved ones' names to even your CC pin number, and three being the usual number of retries before lockout. And without lockouts, the average "guess-hacker" won't go for your password. They go for the other venues that are usually far easier to break.
yup (Score:3, Interesting)
Forcing users to change passwords does nothing against keyloggers either. But it definitely makes it easier to tell when a user has changed their password.
They'll type the current known password, then tab or click, then type some new cryptic garbage, then tab or click, then the same cryptic garbage.
But the worst possible password constraint I can think of is limiting the maximum number of allowed characters. I can think of absolutely no good reason for this restriction, yet large companies, such as Cedar Point's online reservation system, possess this restriction.
It's what the password's strong against (Score:4, Interesting)
Conventional "strong" passwords protect against someone trying to guess or brute-force the password. They're really good at this.
The problem is, few attackers try to guess or brute-force passwords anymore. It's too time-consuming and too readily detected. Most of them will try to get you to tell them the password by one means or another. Phishing e-mails, keyloggers, traffic sniffing, man-in-the-middle attacks, the whole point of all of them's to get your password directly without having to figure out what it is. And against that sort of attack, "secret" is precisely, exactly as secure as "wkL3jfo*Zle". To guard against those attacks you need to strengthen things other than the password itself. And part of what you have to harden against attack is the user themselves, which makes it unlikely you'll succeed.
Re:News at 11 (Score:5, Interesting)
Get yourself a little password bruteforcing app. One that does ZIP files as a starter as they are nice and easy.
Play with it. It'll brute force dictionary passwords instantly. 8 letters in a couple of hours. 6 letters in a few minutes. On a crappy HP laptop, I might add.
Add some CAPS, numbers etc and watch the times go in weeks, months, years.
Re:News at 11 (Score:3, Interesting)
Glad to see you read the first paragraph of my post. Did you happen to see the end, where I said that I agreed with the paper, increasing password complexity doesn't solve the problems that we face today, and that I'm engaging my management with an eye towards changing our password policy?
But, since you brought it up, sure those don't change, but we have all sorts of information that we learn every day. If you're a programmer, you might have to learn a new technique, the parameters for a new method invocation, whatever. The password itself doesn't change for six months (in the parent's example), so while the first few days or so are a pain, it is possible to learn one new eight character "word" twice a year.
Passwords are FAR from perfect, but for most businesses, the alternatives are too costly to implement for the incremental gains. Biometrics always get mentioned, as do their inherent weaknesses (jello fingers, photocopies, etc.) PKI is perennially "next year's hot technology", but it never gets implemented because of the staggering costs and the inherent problems of determining who you really trust. One-time password tokens are a proven technology, but they're expensive to deploy, wear out after a fairly short time period, and are easily lost/stolen. All of the other technologies still have training and management issues for the users. Compared with those options, keeping passwords makes business sense.
The problem is that the same people who won't pay for other authentication methods also read in CIO Weekly about the latest brute-force attack that cracks 14 bajillion passwords a second, and they think that longer, more complex passwords equal better security. Same goes for the external auditors. Everyone's been schooled in longer=better when it comes to password strength, so that's all they care about. This is the mindset that needs to be changed, but it won't happen overnight. I'm doing what I can for my users here, but the rest of you are on your own :-)
Re:News at 11 (Score:5, Interesting)
And I don't blame him sometimes. He was 60+, computers were not his forte and he had to come up with a password that:
A) Expired every 45 days
B) Could not be manually reset to a password that's been used within the last 20 passwords
C) 8+ characters long
D) Numbers
E) Capitals
Hell, I got 3-4 passwords that don't expire on the same sync so I'm slowly losing my mind trying to remember them within the 3 try lockout period. Sure, I can unlock myself but it's still crap trying to do it.
Re:News at 11 (Score:5, Interesting)
Pick one good password, don't let it get cracked, and you'll be fine, and your users/co-workers will be much happier.
That's the way we run our network at home.
Unfortunately, at work it's different. There are several authentication empires large and small, each with differing password complexity requirements and with differing policies on password expiry and minimum difference from previous several passwords. There's the Oracle empire and the Siebel empire and the Notes empire, and two mutually-hostile LDAP empires. There are also a few minor authentication empires specific to other tools. There are probably other authentication empires/ghettoes for tools I don't interact with.
The longest password validity is 90 days, for some systems it's 60 days. The shortest password acceptable to any system is 8 characters. All require upper and lower case, some require number and/or punctuation as well. Some don't count an upper case character if it's the first character in the password. Others don't count a number or punctuation if it's the last character in the password. So upper case, number, and punctuation have to be in the middle. One system requires that at least two characters in the password change type in each update (e.g. number becomes letter). Another system does not ever allow re-use of old passwords, claiming unlimited memory of previous passwords.
The result? A few of the passwords are used regularly enough that they can be remembered, even with the updates every two or three months. Those used intermittently cannot be effectively committed to memory. So passwords are recorded on sticky notes under keyboards, scrawled on margins of wall calendars, on notepads in desk drawers, etc. Some keep them in plain-text files on their laptops. Our systems at home are more secure.